
Security Challenges in the Enterprise. January 23-25, 2008 Miami Beach Convention Center Miami, Florida USA www.ITEXPO.com 2 Panelists Franchesca Walker,


1 Security Challenges in the Enterprise

2 Panelists
- Franchesca Walker, Director Enterprise Solutions, Foundry Networks
- Eric Winsborrow, CMO, Sipera Systems
- Shrikant Latkar, Sr. Mgr. Solutions Marketing, Juniper Networks
- Mark Ricca, Sr. Analyst and Founding Partner, IntelliCom Analytics

3 Security: Continued Strong Growth
[Chart: Integrated Security Solutions Forecast (Global, All Size Businesses), in $B, 2005 to 2010]
- 9.2% CAGR Overall
- 10.7% CAGR Remote / SoHo

4 Security Challenges in the Enterprise Franchesca Walker, Marketing Director of Enterprise Solutions Foundry Networks, Inc

5 Many Malicious Attack Vectors & Vulnerabilities at each Layer
[Diagram: attacks grouped by layer and category]
Layers: Datalink Layer Attacks; Network Layer Attacks; Transport Layer Attacks; Application Attacks
Categories: VIRUSES; WORMS; TROJANS; UDP/TCP PROTOCOL ATTACKS; ROGUE SERVICES; UDP/TCP DOS ATTACKS; ROUTING PROTOCOL ATTACKS; NETWORK SERVICE ATTACKS; L2 DOS ATTACKS; L2 SERVICE ATTACKS; L2 ROGUE SERVICES; L3 DOS ATTACKS
Attacks named: ARP Poisoning; MAC Flood Attack; Port DoS Attack; Rogue Wireless AP; ICMP Flood Attack; TCP SYN Flood Attack; SQL Slammer Worm; SoBig Worm; Melissa Virus; Sasser Worm; Deep Throat; MyDoom Worm; CodeRed Worm; Nimda Virus & Worm; ICMP Smurf Attack; False Route Injection; BGP TTL Security Hole; TCP TTL Attack; TCP Timestamp Attack; Rogue DHCP & DNS; VLAN Flood Attack; SPAM; SIP DoS Attack; Port Scan; IP Port Scan; TCP Ack Flood Attack; Malicious TCP Packets; CPU Rate Attack; p2p Traffic; CAM Table Overflow Attack; VLAN Hopping; Private VLAN Attack; DHCP Starvation

6 Converged Voice & Data Security
[Diagram labels: Network Switches, Routers, & Access Points; Call Manager; App & Web Servers; NMS; Zero-Day Anomaly IDS; Signature IDS; Traffic Samples (sFlow); Threat Control; Radius, DNS, DHCP; Multiple endpoints; IEEE 802.1x + MAC Authentication; Access Policy]
Integrated Switch and AP Security Features
- DoS attack protection
- CPU protection
- Rate limiting
- Hardware-based ACLs
- DHCP, ARP, IP spoof protection
- Rogue AP detection & suppression
- Access policy enforcement
- Threat control enforcement
- Embedded sFlow traffic monitoring
sFlow-based Anomaly + Signature Defense
Closed Loop Security
Open Source Applications

7 Convergence Network Security
- Allow only authorized users on the network
  – Authentication based on IEEE 802.1x, MAC address
- Control who has access to specific resources
  – 802.1q VLANs
- Stop unauthorized traffic without impacting network performance
  – ASIC based, wire-speed ACLs
- Protect against security threats and DoS attacks
  – Network-wide monitoring (e.g. sFlow)
  – Threat detection and mitigation
    Rate limiting of known packet types
    Closed-loop mitigation using centralized IDS equipment and applications

8 Enterprise VoIP Security Challenges Eric Winsborrow, CMO Sipera Systems

9 Risk Management approach to Security
[Chart labels: Security Priority and Spending; Threat Potential; VoIP 1.0 (closed) Risk Profile; VoIP 2.0 (open) Risk Profile; Lower Risk Profile and Prioritization; Optimum Prioritization; Point of Diminishing Returns]

10 The Need to Extend VoIP
[Diagram labels: IP PBX; Voice/Data Center(s); WAN/VISP; Internet; PSTN; VISP; Mobile worker; Headquarters; Remote worker; Branch(es); Soft phones; SIP Trunk]

11 Extending VoIP - Challenges
[Diagram labels: IP PBX; Voice/Data Center(s); WAN/VISP; Internet; PSTN; VISP; Mobile worker; Headquarters; Remote worker; Branch(es); Soft phones; SIP Trunk; Spammer; Hacker; Rogue Device; Rogue Employee; Infected PC]
- Opening wide range of IP/UDP ports violates security policy
- Confidentiality/Privacy of signaling & media
- Strong authentication of device & user
- Policy enforcement & access control
- Phone configuration & management
- Protect IP PBX & phones
- Refresh UDP pinhole in remote/home firewall

12 Risk Management approach to VoIP/UC
Establish POLICY; Assess RISK; Implement PROTECTION; Manage COMPLIANCE
ACCESS: Secure Access
- Strong User authentication
- Call Admission Control
- Firewall/NAT traversal
- Privacy and Encryption
- Secure firewall channel
Sipera VIPER Labs
- Vulnerability Research
- Threat signature development
- LAVA Tools
Sipera VIPER Consulting
- VoIP/UC vulnerability assessment
- Best practices consultation
- Security workshops
Comprehensive Protection for real-time communications
- DoS/Floods prevention
- Fuzzing prevention
- Anomaly detection/Zero-Day attacks
- Stealth attacks
- Spoofing prevention
- Reconnaissance prevention
- VoIP Spam
Policy Compliance
- Call routing policies
- Whitelists/Blacklists
- Fine-Grained Policies by User, Device, Network, ToD
- Application controls
- IM logging and content filtering
- Compliance reporting

13 Conclusion
- Benefits of Unified Communications increase if VoIP network is extended
- But an enterprise needs to solve many issues
  – Privacy and authentication; firewall/NAT traversal; policy enforcement; VoIP application layer threats
- A Security Risk Management approach is needed
  – Elevate VoIP/UC in priority if using SIP or extending VoIP
  – Engage experts for best practices and risk evaluation
  – Create policies and protection specific to VoIP/UC

14 VoIP Security IT Expo East 2008 Shrikant Latkar shri@juniper.net

15 Concerns when Deploying VoIP
[Chart: percentage of respondents citing each concern]
- Concerns about security
- Systems for managing and troubleshooting VoIP quality
- Concerns about interoperability between vendors' equipment
- Not enough people to plan, design, implement, and manage VoIP
- Lack of budget
Source: 2005/2006 VoIP State of the Market Report, Produced by Webtorials

16 Securing Voice is Critical

17 Evolving SIP Security
- Exploits will become more “creative” - Newer exploits are at Layer 7
- Current security doesn’t address all attacks
  – SBCs cannot defend against many SIP vulnerabilities as the attack levels scale/grow
[Diagram labels: Most Attacks; Smarter Attacks; Smartest Attacks; Router Filters; IP Spoof Detection; DOS Filters; Stateful Firewall; Protocol ALG; Application Aware Intrusion Prevention]
Need to evolve security to be scalable and more attack aware
- Customized attack defenses – specific for your environment
- Rapid time between exploit found and defense deployed
- Able to handle high volumes of attacking packets

18 Firewall
- Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny
- Identification: done by L4 port number (static)
- Functions: NAT, State checks, pinhole, anomalies, drop malformed packets
- VoIP session correlation (beyond L3/L4)
- Application Screening: Flood attacks
- Coarser control: enable/disable all checks
IPS/IDP
- Protocols: SIP, H225RAS, H225SGN, MGCP
- Identification: based on application data (PIAI)
- Functions: Protocol State, anomalies (more than FW checks); SIP sigs > 50
- Custom signatures can be done
- Logging (provides visibility)
- Flexibility in enabling signatures driven by policy

19 Defense Against VoIP Security Threats
[Table with columns: VoIP Security Threat; Ramifications; Defense Technology. Cells listed in the order extracted]
- Unauthorized access to PBX or voice mail system
- All voice communications fail
- FW with SIP attack protection
- IPS with SIP sigs/protocol anom
- DoS attack on PBX, IP Phone or gateway
- Hacker listens to voice mails, accesses call logs, company directories, etc.
- Zones, ALGs, policy-based access control
- Toll fraud
- Hacker utilizes PBX for long-distance calling, increasing costs
- VPNs, encryption (IPSec or other)
- Eavesdropping or man-in-the-middle attack
- Voice conversations unknowingly intercepted and altered
- Worms/trojans/viruses on IP phones, PBX
- Infected PBX and/or phones rendered useless, spread problems throughout network
- Policy based access control
- IPS with SIP protocol anomaly and stateful signatures
- IP phone spam
- Lost productivity and annoyance
- FW/ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection

20 Additional VoIP resources available at www.juniper.net
Q & A

